tags:

views:

96

answers:

1
+1  Q: 

WCF Authentication using SQL Membership Provider

Hopefully you folks can clarify some of this for me. I have a web-application using the Sql Membership Provider and it talks to a second web-application through a WCF Service. Both applications share the same Sql Membership Provider datastore...but I need each WCF Service call to authenticate the user.

Now, I've looked at a LOT of samples, but I feel like the samples I've seen either leave out certain code because it "should" be obvious to me, or I mis-understand how WCF handles the request (see expected code below).

I'm grateful for any help...

HERE'S WHAT I ALREADY KNOW HOW TO DO

  1. I know how to configure the Sql Membership on both ends.
  2. I know how to setup the wsHttpBinding
  3. I know how to setup the services certificate used in transport security

HERE'S WHAT I AM CONFUSED ON

  1. How can I pass the Membership password (...you can't)
  2. Do I pass the authentication cookie? If so, how?
  3. Do I create a "known" username and password not related to the user (themselves)?

IN THE WEB CLIENT I WOULD EXPECT TO SEE CODE SOMETHING LIKE THIS

protected void btnLogin_Click(object sender, EventArgs e)
{
    // Logging into the web-application is known and easy.
    if (Membership.ValidateUser("MyUserName", "MyPassword"))
    {
        FormsAuthentication.SetAuthCookie("MyUserName", true);
        FormsAuthentication.RedirectFromLoginPage("MyUserName", false);
    }
}

protected ServiceReference1.Contractor getContractor(Int32 key)
{
    // I expect something "like" this on the client call.
    MembershipUser user = Membership.GetUser("MyUserName");

    ServiceReference1.FishDataClient wcfService = new ServiceReference1.FishDataClient();

    // You can't retreive the users password directly,
    // nor can you get the hash from the SqlMembershipProvider.
    wcfService.ChannelFactory.Credentials.UserName.UserName = user.UserName;
    // So doing something like this would not be possible.
    wcfService.ChannelFactory.Credentials.UserName.Password = "??????";

    // So how is the web service going to authenticate the user from it's
    // references to the same SqlMembershipProvider (database).
    ServiceReference1.Contractor contractor = wcfService.GetContractor(key);

    wcfService.Close();
    wcfService = null;

    return contractor;
}

IN THE WCF SERVICE I WOULD EXPECT TO SEE CODE SOMETHING LIKE THIS

[PrincipalPermission(SecurityAction.Demand, Role = "User")]
public Contractor GetContractor(Int32 key)
{
    ServiceSecurityContext context = ServiceSecurityContext.Current;
    Contractor contractor = new Contractor();

    // What goes here?  I would expect something like this...
    if (Membership.ValidateUser("???????", "???????"))
        contractor.Get(key);

    return contractor;
}
A: 

I'm assuming your WCF membership provider and your web application membership provider are using the same backend user set.

If so you would want to share authentication cookies between the applications. You can find more information on how to do that here.

Next you need to pass the authentication cookie that came with the web application request to the WCF service call. You can see how to do that here.

The idea is the user logs into your web application and by doing so is logged into your WCF service.

Daniel  2010-08-10 17:24:54
Q: How does passing the cookie help to enforce the "SecurityAction.Demand" above?
 2010-08-10 20:20:40
Other examples online "say" you can pass credentials from the client, such that, WCF checks the Sql Membership and enforces the "Role" located in the "SecurityAction.Demand". My issue is HOW does WCF know how to do this? Is it handled "under the hood" black-box style?
 2010-08-10 20:26:27
When the user is authenticated an object is created that implements the IIdenty interface. The demand will use this object to enforce the check. The IIdentity object will be created by the Membership provider when the user is authenticated using the information in the cookie.
Daniel  2010-08-13 22:08:03

related questions

Web framework programming mindset
ASP.NET - asp:xxx Controls versus standard HTML
From Desktop to Web browser considerations
Which PHP Framework will get me to a usable UI the fastest?
Best practice for integrating TDD with web application development?
How to Manage Web Development?
When is a file just a file?
Recommendations for browser add-on tools to help with development
REALLY Simple Website--How Basic Can You Go?
Convince Firefox to send an If-Modified-Since header over HTTPS
What do the getUTC* methods on the date object do?
Planning and Building a mobile enabled site for your main site.
Firebug for IE
Javascript and PHP - Login Script with hidden buttons
Firebug won't display console feeds for some of my sites
Displaying ad content from Respose.WriteFile()/ Response.ContentType
How can I detect if a browser is blocking an popup?
How to Test Web Code?
What PHP framework would you choose for a new application and why?
How do you disable browser Autocomplete on web form field / input tag?
What is Progressive Enhancement?
In HTML, how to word-break on a dash?
The Definitive Guide To Website Authentication
How do you test layout design across multiple browsers/OSs?
How much of the Web build process do you/should you automate?